Collaboration is key for captives managing cyber risk
Now is the time for companies to consider using their captives for managing cyber risk, according to a panel of insurers and cyber risk specialists.
However, companies should also stop looking at cyber risk as a single, monolithic peril, and consider a more collaborative approach to the use of data if they are to be more effective at managing one of the most complex risks in the corporate world.
These views were expressed in the opening session of the European Captive Forum, which took place in Luxembourg this week.
Captives have become an increasingly attractive option for the management of cyber risk, partly as a result of the hardening market but also because of the ability to create a more tailored and sustainable risk management strategy, as Soren Stryger, CBO cyber insurance Emea at Aon explained.
“We are seeing more options for coverage and more capacity,” said Stryger. “Now is the time to reconsider your strategy and to use your captive not just for next year’s renewal but for the long term.”
Yet risk managers should also be cognisant of the complexity they are taking on, said Andreas Rouf, head of proposition development, captive services, Zurich. “As a fronter, we get requests to support customers and to propose the most suitable structure. The market is still hard and I don’t think it will be much different in the next few years. It is also a very fast-moving market and I don’t think people know what effect AI will have on cyber risk and the insurance market.”
Nevertheless, there remain many compelling reasons as to why a cyber-focused captive makes sense, said Rouf, not least price. “When prices go through the roof, you need an alternative option,” he said. A captive can also be used to fill in gaps in coverage. And they can also help in securing more primary coverage. “Insurers are pushing for higher retentions and using a captive shows you have skin in the game, so you will also get more primary insurance options,” said Rouf.
A captive can also be used as a cyber data hub and not just an insurance vehicle, added Rouf.
It is often assumed that there is a lack of historical data in the cyber insurance market, and while there may not be decades of loss data as with traditional lines like property, there is no shortage of actual data. The challenge is deciding what is relevant, said Bethany Vohlers, model and product specialist, cyber insurance solutions, Moody’s RMS.
“Cyber is not a single peril, it is a family of perils,” she said. For example, you have high-frequency, low-severity risks like data breaches, and low-frequency, high-severity events like cloud breaches. And there is a vast difference between the two in terms of the potential losses and the impact on a captive. “It is so difficult for captives and insurers,” said Vohlers.
This is where stochastic models can help, suggested Vohlers. “Models can’t predict the future but they can help to describe the risk.”
Vohlers also said that captives have one distinct advantage over traditional insurance coverage in that they are able to adapt to a changing risk landscape and can tailor their strategy to the company as opposed to an insurer, which has to take a broader, industry-wide perspective.
Yet there are still complexities that have to be considered given the interconnectedness of cyber risk, said Gisele Van Tornout, cyber and risk coordinator at Miris Insurance. “It can be difficult to tell where one risk ends and another begins,” she said.
It is also possible that models developed by a captive and tailored to the parent company may have an element of bias. The answer is collaboration, said Van Tornout. “You have to be prepared to open up your dataset. One company’s breach is another company’s threat intelligence.
“With an emerging risk, you do not always know what you don’t know. You require outside help so you need to sit with your chief information security officer and with industry experts, to properly understand the risk you are underwriting.”